Verifying install files (Zotero)

8 replies [Last post]
GNUbahn
Offline
Joined: 02/18/2016

I wish to install Zotero (a powerful reference manager which is free software). Unfortunately Zotero is not in Trisquel's repository (I wonder why not?). Hence one has to download the install file from zotero.org. They don't provide checksums or other means for verification. On the Zotero forum, dstillman, who is an administrator at the zotero site, wrote:

Checksums are useful if you're downloading software via HTTP or from an untrusted mirror. If you're downloading from a trusted site via HTTPS, there's not really much benefit — if someone could modify the binaries (or, in the case of a PKI failure, serve you a different binary), there's a good chance they could modify the hashes too. While those would be in separate locations with separate access permissions, you basically have to trust us to protect our own infrastructure either way, since anything we could set up to post hashes to the website at build time we can do ourselves to monitor changes without people needing to verify hashes manually. Needless to say, we keep access to the deployment pipeline extremely locked down and monitor all changes.
And the same goes for updates, which Zotero downloads via HTTPS from zotero.org subdomains.
(On macOS and Windows the executables are also signed, but Linux doesn't support that, and in any case it doesn't provide much additional security as long as you know you're getting the file from zotero.org.)

If dstillman is right, does it mean that checksum'ing files has no meaning? And is he right?

andyprough
Offline
Joined: 02/12/2015

He's not right in terms of his company hosting the download infrastructure being any kind of assurance of security. Not too many years ago an extremely popular Windows utility called CCleaner had its download servers hacked, and it was serving up pure malware as "CCleaner updates" to some of the largest corporations in the world.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

In that scenario, the attacker would modify the hashes as well, which is dstillman's point. Publishing the hashes would however allow somebody to get the binary from a redistributor (for instance from a friend with a pendrive) and still be able to check if it was tampered with.

GNUbahn
Offline
Joined: 02/18/2016

In most cases I only install software from the Trisquel repo, but for instance for Trisquel itself, Replicant images, etc., I download the install files and verify them with shasum and gpg. I thought that such verification is (or can be) crucial to security - but perhaps it is not as useful as I thought?

jxself
Offline
Joined: 09/13/2010

It's not helpful when the attacker can both add their own malicious version and also alter the posted checksums so that they match.

A better option is probably things like GPG signatures. Assuming that you trust the key (which is a whole different topic with assorted issues) then you can verify that a given file was signed with a given key.

GNUbahn
Offline
Joined: 02/18/2016

It's not helpful when the attacker can both add their own malicious version and also alter the posted checksums so that they match.

How likely are we to fall victim to such an offence?

jxself
Offline
Joined: 09/13/2010

Who knows. Didn't it happen with GNU/Linux Mint? https://blog.linuxmint.com/?p=2994

Don't forget that kernel.org was also compromised. If someone cracks a server to replace the downloadable programs they could also replace the checksums if they live in the same place. The attacker already has access to do the first and, if the checksums live on the same server in the same place, it would not be hard to take the additional step to change them to match.

For example: I crack kernel.org, upload my own malicious version instead, and then replace this file so that it shows the stuff for my modified version:
https://cdn.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc

Now, that won't work for kernel.org because that message is also GPG-signed. People should not just rely on what it says but should also check the signature to make sure that I haven't done what I just described. My altering the message would invalidate the GPG signature and the tampering would only then be detected.

The same for the kernel source code: Check the GPG signature.

So, all that checksums give you is that the file was downloaded without some accidental corruption; it does not tell you that it's the same file that was originally uploaded. For that you need something else like the GPG signatures I mentioned earlier.
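The three cases jxself and Magic Banana walk through above (a clean download, a download corrupted in transit, and a server where both the binary and the checksum list were replaced together), replayed on constructed files in a temporary directory. This is an added example, not a script from the thread or from Zotero or kernel.org; the file names, the `verify_checksum`/`verify_signature`/`scenario_*` helpers and the `sha256sums` list are all made up here. The checksum list uses the same two-column format as `sha256sum`, and the signature step is just `gpg --verify` on the list, which is what you would run on kernel.org's `sha256sums.asc`.

```shell
#!/bin/sh
# Added example (not from the thread): checksums catch accidental corruption,
# only a signature catches a server that replaced the file and the list together.
set -u

# Print the hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE SUMS: look FILE up in a sha256sums-style list.
# Returns 0 on match, 1 on mismatch, 2 when the list has no entry for it.
verify_checksum() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$2")
    [ -n "$expected" ] || return 2
    if [ "$(sha256_of "$1")" = "$expected" ]; then return 0; else return 1; fi
}

# verify_signature SIGNED_SUMS: a valid OpenPGP signature from a key you already
# trust is what ties the list to its publisher; an attacker who owns the server
# cannot produce one without the private key.
# Returns 0 = good, 1 = bad signature or unknown key, 2 = gpg not installed.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --verify "$1" >/dev/null 2>&1
}

# make_release DIR: constructed stand-in for a download plus its checksum list.
make_release() {
    printf 'pretend this is zotero.tar.bz2\n' > "$1/zotero.tar.bz2"
    printf '%s  zotero.tar.bz2\n' "$(sha256_of "$1/zotero.tar.bz2")" > "$1/sha256sums"
}

# Scenario 1: clean download, untouched list -> checksum matches (rc 0).
scenario_clean() {
    d=$(mktemp -d); make_release "$d"
    verify_checksum "$d/zotero.tar.bz2" "$d/sha256sums"; rc=$?
    rm -rf "$d"; return $rc
}

# Scenario 2: bytes damaged in transit, list untouched -> mismatch (rc 1).
# This is the case a checksum is genuinely good for.
scenario_corrupted() {
    d=$(mktemp -d); make_release "$d"
    printf 'truncated' > "$d/zotero.tar.bz2"
    verify_checksum "$d/zotero.tar.bz2" "$d/sha256sums"; rc=$?
    rm -rf "$d"; return $rc
}

# Scenario 3: compromised server, file AND list replaced together -> the
# checksum still matches (rc 0). Nothing in the list itself can detect this;
# only verify_signature on a signed list would.
scenario_server_replaced_both() {
    d=$(mktemp -d); make_release "$d"
    printf 'attacker build\n' > "$d/zotero.tar.bz2"
    printf '%s  zotero.tar.bz2\n' "$(sha256_of "$d/zotero.tar.bz2")" > "$d/sha256sums"
    verify_checksum "$d/zotero.tar.bz2" "$d/sha256sums"; rc=$?
    rm -rf "$d"; return $rc
}

# check_download FILE SIGNED_SUMS: the order to use on a real download.
# Signature first, then checksum; fails closed when gpg is missing or the
# list is not signed, so an unsigned list never passes by itself.
check_download() {
    verify_signature "$2" || return 1
    verify_checksum "$1" "$2"
}

if [ "${1:-}" = "demo" ]; then
    scenario_clean && echo "clean download: checksum OK"
    scenario_corrupted || echo "corrupted download: checksum mismatch (caught)"
    scenario_server_replaced_both && echo "file AND list replaced on server: checksum OK (NOT caught)"
fi
```

Run it as `sh verify-example.sh demo` to see the three outcomes. The third line is the whole point of the thread: once the attacker controls the place the list lives, `sha256sums` agrees with the malicious file, and only `verify_signature` against a key you obtained some other way (a keyring you already trust, as the package manager has for the Trisquel repo) tells the two apart.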

jxself
Offline
Joined: 09/13/2010

It's probably also worth mentioning that checking GPG signatures is also what the package manager does when you install programs from the Trisquel repo.

GNUbahn
Offline
Joined: 02/18/2016

Wasn't there also a case with Linux Mint?